Digital resilience: Integrating GRC technology into your ERM framework
During the ERM Virtual Summit, we explored ways to use enterprise risk management (ERM) strategies to build long-term business resilience, how to anticipate emerging risks, and the role employees play in developing a proactive risk-aware culture at their organizations.
For our final panel discussion, we focused on how to embrace governance, risk and compliance (GRC) technology to enhance and mature an ERM program in the digital era.
I was joined by Tom Faraday, the Director of Product Management for Audit, Risk and Compliance for Diligent, and three of our ERM customers:
- Morgan Sherrill, the SVP and Director of Enterprise Risk Management at Veritex Community Bank
- Curtis McNeil, the Risk Management Officer at the Architect of the Capitol.
- Rouzbeh Faramarzian, the Chief Risk and Compliance Officer (nominee) at Daiwa Capital Markets Europe.
Here are a few highlights from our conversation.
Leveraging GRC software to enhance ERM
Each of our three panelists had already implemented GRC software to boost their respective ERM programs, but I was curious to know what inspired them to do so and what features they wanted most.
Sherrill kicked things off by stating that she wanted the ability to relate items across the entity. “It’s essential to be able to relate a product or process in your entity to various software assets, vendors or policies. If you do that, and there’s an outage or a BCDR event with a particular vendor, you know exactly which products or lines of business have been affected.”
Speaking specifically about Veritex Community Bank, Sherrill noted that GRC software was critical because “it’s a more efficient and effective way to track changes in your risk profile across the entity, without having to split off into various Teams calls to discuss information retained in different spreadsheets by all your different departments.”
The Architect of the Capitol, a government agency, also had sought out software that would help mature their ERM program overall.
“We wanted to find ways to be more efficient and effectively use data across the enterprise,” said McNeil. “We developed a risk data analytics strategy, which was ultimately a set of capabilities and tools, to help the organization leverage our data assets to inform decision-making.”
The features and functionality his team needed in a tool had to take risk management to the next level, he said. “We wanted to improve our risk monitoring and streamline risk reporting and do so in an efficient system. That way, we can communicate with the decision-makers more effectively as we start to shape the narrative and tell the story around where the risks lie.”
GRC implementation
Our panelists work in varied industries, with different requirements and regulations. Each had unique insight to share on integrating Diligent GRC software at their organization.
McNeil described the process as “easy and seamless.”
“It was a situation where, like the old quote says, ‘Success occurs when opportunity meets preparation,’” he said. “It was a collaborative effort, as my CISO was in the process of implementing a GRC tool. When he realized there were modules within the tool that the risk team could leverage, he introduced me to the software vendor.”
Sherrill, working in the financial industry where scrutiny is high, believes that “implementing a GRC platform has really helped us mature the level of reporting we are able to provide, and it helped us to more effectively communicate to the board.”
Faramarzian focused on the concept of embeddedness when integrating a GRC platform at his organization. He asked, “Are we in a better state in demonstrating embeddedness of operational risk management, and understanding of that, than we were before we implemented that GRC solution?”
Strengthening resilience by integrating GRC technology
To close our conversation, I asked each panelist to give a final piece of advice to organizations that want to use GRC technology to strengthen their ERM programs’ resilience.
Partnership is important, according to Faramarzian. It was a key differentiator when he was evaluating vendors a long time ago. "[Which vendor] wants to partner with me?” he asked. "Did they take time to understand my vision and how I want the framework to operate going forward? Does that tie well to their ambitions and how they want to proceed? Those are exploratory conversations to start with before you get into buying a product.”
“After partnership,” he continued, “what you need is familiarity and stability, as a GRC solution is not something that you want to be changing frequently. The firm you choose is as important as the framework that you are implementing within the solution.”
Sherrill agreed, and noted that timing and objectives matter, too. "If you do not know what your framework is, what your deliverables are and what the mission is, it's too early to look at a GRC solution,” she said.
"You need to know what's important to your organization,” McNeil added. "On the ERM capability side, you need a true understanding of your current maturity levels and your desired future state. Not having clarity in those areas could significantly impact your ability to successfully integrate a GRC tool into your ERM frameworks.”
“Know who you are so you can see where you're going,” he concluded.
To understand what to look for in an ERM solution, download our free buyer’s guide to ERM software.
